Re: [SRI] format of the integrity attribute

On 30 January 2015 at 17:52, Francois Marier <francois@mozilla.com> wrote:
> In other words, the integrity attribute would be:
>
> - whitespace-delimited list of tokens
> - tokens are either a CSP2 hash-source, or an option
> - options token consists of: name + semicolon + value (no whitespace)
> - the only value option name right now is "type" (or perhaps "ct"?)
> - none of the options are mandatory

None of your example show this, but hash-source has single quotes
around it: https://w3c.github.io/webappsec/specs/content-security-policy/#hash_source

Without the quotes, a hash-source for a new hash algorithm is going to
marginally harder to distinguish from an option, so I think that's
good.

integrity = integrity-value *(" " integrity-value)
integrity-value = hash-source / content-type
content-type = "type:" mime-media-type ; reference TBD

I note that all of your examples use base64.  The ni URL uses
base64url.  I have a small (small) preference for base64url without
padding.  Is there any reason to pick one over the other?

Received on Saturday, 31 January 2015 03:03:28 UTC